== Q2 Report Published - Focus on Cloud Computing ==

* Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.
* Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.
* Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.
* The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.
* Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.

== Security Spending Benchmarks Project Report March 2009 ==


The Q1 2009 report of the OWASP Security Spending Benchmarks Project is now available. It can be found at the following link:

* Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
* Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.
* Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training. 38% have a third party firm conduct a security review of outsourced code.
* At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).
* Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.

== Raw Data ==


Transparency is a key principle of the OWASP SSB Project. For this reason all raw survey results are made available to the community. We welcome additional commentary and interpretations on the survey data. The raw survey data can be found [https://www.surveymonkey.com/sr_detail.aspx?sm=6RXm2J2aqar1MT7JlandR0MYzVFmx25FwQ9trvJH1JG4GcuRCMp3TAkaCJyNCQYrtI1Ny025AnORe0Y3lU%2bj7w%3d%3d here].


== Inquiries ==


Please contact the project leader Boaz Gelbord (bgelbord at wgen dot net) if you have questions about the project or you would like to inquire about contributing to the project.



== About the Security Spending Benchmarks Project ==

The Security Spending Benchmarks Project seeks to produce guidance and an industry-accepted benchmark for justifying overall Web application security spending. We want to quantify how many dollars and human resources should be allocated to the software development life-cycle, security training, security software/tools, independent third-party reviews, Web application firewalls, etc. This project is motivated by the fact that:

* There are few, if any, industry standard benchmarks for executive management to consider when deciding what is a reasonable amount of resources to spend on Web application security, in or out of the software development process.
* Many business initiatives require organizations to take “reasonable measures” and “adhere to best practices” for developing, delivering, and/or hosting secure Web applications, but there is no industry consensus or data repository on how this translates into monetary terms.
* Producing a less secure Web application may be less expensive than producing a more secure version of the same software. Organizations that have invested development resources in software security may not be able to charge a premium for this investment because there is no reference point for it.

The survey was formulated with the help of our project partners to address the following questions and many others:

* What percentage of a Web application development group's headcount is dedicated to security?
* How much budget is allocated to Web application security as a percentage of software development and overall operational IT security costs?
* Where does the Web application security budget come from?
* How much budget is allocated to security education?

== Data Collection & Distribution ==

We utilize the SurveyMonkey system to host surveys conducted for the OWASP SSB Project. We do not collect any publicly identifiable information (names, addresses, employer, email addresses, etc.) from the respondents. While we expect a limited number of respondents to try to intentionally skew the results, we take precautions to limit the potential for this without creating unnecessary overhead. We control survey access via username/password, as well as through a trusted network of contacts. All information collected is made available through SurveyMonkey.